Is Cloud Computing Secure? Prove It

Organizations need to take care to ensure that applications in the cloud are secure and compliant, and that this can be proven. Experts say the public cloud might not be suitable for some applications right now, but that providers will face increasing pressure to develop systems that can be used securely in a cloud computing environment.

The buzz around cloud computing is intense, but that buzz rarely addresses the question of whether cloud computing is safe, or whether you can prove that it's safe.
"Is cloud computing ready for prime time?" asked Amy DeCarlo, principal analyst for managed IT services at Current Analysis. "I would say no. There's not a lot of transparency; there's not a lot of confidence."

And, even if your data really is secure in the cloud, you may not be able to prove it, said DeCarlo.

"[Public cloud providers] don't have the pieces to meet the regulatory requirements; they don't have the means to meet the compliance issues related to security," she said. "That's not to say there won't be a time, or that cloud service providers can't provide something useful to the enterprise."

The issue, according to DeCarlo, is that cloud providers don't meet current compliance rules. What's more, some of those providers, such as Amazon.com, have said that they don't intend to meet those rules and that they won't allow compliance auditors on-site. This pretty much eliminates any chance of using public cloud providers for anything that must meet any of the government regulations involving protected data, either in the United States or the European Union.

And it gets more complex.

"Any client using the public cloud that collects personally identifiable information is subject to the regulations of each state where they are," explained IBM Director of Corporate Security Strategy Kris Lovejoy. This means that every place in which the data may reside, or through which the data must pass, can regulate how the data is protected. "How can you ask a company to respond to the requirements of every state, not to mention cross-border situations?" asked Lovejoy.

The use of the public cloud also implies the use of virtualization to move data and compute requirements to the place that's cheapest and/or most suitable. You have no good way of knowing where your data is, how it's protected, or what other data and processing are going on in the same infrastructure. In fact, your provider probably doesn't know, and neither does your auditor.

So, what can you do?

Right now, the public cloud is probably out of the question for any data that's subject to government or industry compliance rules. But that doesn't mean you can't use the public cloud. "There are a lot of use cases for testing, development, beta testing and overflow for applications that don't require compliance," said Lori MacVittie, technical marketing manager for F5 Networks. "Workflows, data entry that's not covered by compliance, things covered by best practices. There are plenty of applications that can go in the cloud."

Applications that work well in the cloud typically have security designed into them from the beginning.

"Web apps have moved very well to the cloud," said Scott Morrison, chief architect and vice president of engineering at Layer 7 Technologies. "The important thing is that you have to take lessons from good service-oriented architecture and good Web architecture. You have to put security into the architecture. You have to make applications secure; then they can move to the cloud."

Morrison adds that it's up to each enterprise to figure out what can be moved to the cloud. "Every application is different, and every application has something that will determine whether they can run in the cloud," he explained. "You need to do an inventory. The cloud is shared, and you don't have the physical demarcation between applications. A lot of security comes down to rigorous ideas that systems have physical boundaries. You can't do that if you don't own the whole show."

Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.